Computer security and the prevention of cyber-attacks has become an important service for enterprises. Cyber-attacks may employ malicious software, delivered via a public network connection, to exploit a target computer or an enterprise network and execute malicious activity on the target. The malware may be designed by the malware author to evade detection.
Conventional network-based malware detection systems may monitor and analyze network content received, via a network connection, to determine if the content should be deemed malware. These conventional systems may use malicious signature databases to match content with known malware as well as static analysis engines and dynamic analysis engines to determine if the network content is malicious. A static analysis engine may scan the received network content and determine if characteristics of the content may be correlated with those of malware. Similarly, the dynamic analysis engine may process (e.g. execute) the network content in a virtualized computing engine, which may mimic one or more devices on the monitored network to identify malicious behaviors observed during processing which may be correlated with those of malware. Some systems may combine the correlations of a number of engines to classify the analyzed network content as malicious.
These conventional analysis techniques may also generate false negatives when the network content, delivered through the monitored network connection is configured to cloak malicious activities. It is desirable to provide enhanced detection techniques to avoid false negatives.